A few days ago, some media reports claimed that the Kelihos botnet was being put back into operation. However, Microsoft has now said that this has not happened, although it admits that a new malware threat with similarities to the Kelihos botnet has appeared.

Contrary to some reports, Kaspersky and Microsoft have no evidence that the botnet that was taken down in September has returned to the control of cybercriminals or is spamming again at this time. However, we have seen evidence of distribution of new malware that appears to be a slightly updated variant of the malware that built the original Kelihos botnet. This does not mean that the Kelihos botnet we took down is back in operation, but that a new version of Kelihos malware known as “Backdoor:Win32/Kelihos.B” is being used to create a new botnet. Microsoft has already made protection from this new malware variant available in the Malicious Software Removal Tool (MSRT). This kind of effort by botherders to try to rebuild a botnet from the ashes of the old is not new.

Microsoft said that the original news reports were based on a statement from Kaspersky Lab, one of its partners in shutting down the botnet. Kaspersky said that it had found evidence of malware code similar to that used by the Kelihos botnet. However, Microsoft said, "... analysis of these samples and continuing observations of Kelihos-infected computers have demonstrated no known re-employment of the original Kelihos botnet by botherders."